--- /dev/null
+From 97fc15436b36ee3956efad83e22a557991f7d19d Mon Sep 17 00:00:00 2001
+From: Kyle McMartin <kyle@redhat.com>
+Date: Wed, 12 Nov 2014 21:07:44 +0000
+Subject: arm64: __clear_user: handle exceptions on strb
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kyle McMartin <kyle@redhat.com>
+
+commit 97fc15436b36ee3956efad83e22a557991f7d19d upstream.
+
+ARM64 currently doesn't fix up faults on the single-byte (strb) case of
+__clear_user... which means that we can cause a nasty kernel panic as an
+ordinary user with any multiple PAGE_SIZE+1 read from /dev/zero.
+i.e.: dd if=/dev/zero of=foo ibs=1 count=1 (or ibs=65537, etc.)
+
+This is a pretty obscure bug in the general case since we'll only
+__do_kernel_fault (since there's no extable entry for pc) if the
+mmap_sem is contended. However, with CONFIG_DEBUG_VM enabled, we'll
+always fault.
+
+if (!down_read_trylock(&mm->mmap_sem)) {
+ if (!user_mode(regs) && !search_exception_tables(regs->pc))
+ goto no_context;
+retry:
+ down_read(&mm->mmap_sem);
+} else {
+ /*
+ * The above down_read_trylock() might have succeeded in
+ * which
+ * case, we'll have missed the might_sleep() from
+ * down_read().
+ */
+ might_sleep();
+ if (!user_mode(regs) && !search_exception_tables(regs->pc))
+ goto no_context;
+}
+
+Fix that by adding an extable entry for the strb instruction, since it
+touches user memory, similar to the other stores in __clear_user.
+
+Signed-off-by: Kyle McMartin <kyle@redhat.com>
+Reported-by: Miloš Prchlík <mprchlik@redhat.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/lib/clear_user.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/lib/clear_user.S
++++ b/arch/arm64/lib/clear_user.S
+@@ -46,7 +46,7 @@ USER(9f, strh wzr, [x0], #2 )
+ sub x1, x1, #2
+ 4: adds x1, x1, #1
+ b.mi 5f
+- strb wzr, [x0]
++USER(9f, strb wzr, [x0] )
+ 5: mov x0, #0
+ ret
+ ENDPROC(__clear_user)
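Review bot: The new `USER(9f, strb wzr, [x0] )` entry sends a fault on the last byte to the shared fixup at label 9, which lies outside this hunk, so its return value cannot be checked here. By this point x1 has already been changed by the `sub`/`adds` sequence. If the fixup derives the number of uncleared bytes from x1, the result would be off for this store, so confirm that it uses a saved copy of the original size. A short comment on the store, such as `// last byte: also a user access, needs an extable entry`, would help keep a later edit from dropping the wrapper again.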
--- /dev/null
+From ece9c72accdc45c3a9484dacb1125ce572647288 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 30 Oct 2014 20:43:38 +0100
+Subject: block: Fix computation of merged request priority
+
+From: Jan Kara <jack@suse.cz>
+
+commit ece9c72accdc45c3a9484dacb1125ce572647288 upstream.
+
+Priority of a merged request is computed by ioprio_best(). If one of the
+requests has undefined priority (IOPRIO_CLASS_NONE) and another request
+has priority from IOPRIO_CLASS_BE, the function will return the
+undefined priority which is wrong. Fix the function to properly return
+priority of a request with the defined priority.
+
+Fixes: d58cdfb89ce0c6bd5f81ae931a984ef298dbda20
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ioprio.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/fs/ioprio.c
++++ b/fs/ioprio.c
+@@ -157,14 +157,16 @@ out:
+
+ int ioprio_best(unsigned short aprio, unsigned short bprio)
+ {
+- unsigned short aclass = IOPRIO_PRIO_CLASS(aprio);
+- unsigned short bclass = IOPRIO_PRIO_CLASS(bprio);
++ unsigned short aclass;
++ unsigned short bclass;
+
+- if (aclass == IOPRIO_CLASS_NONE)
+- aclass = IOPRIO_CLASS_BE;
+- if (bclass == IOPRIO_CLASS_NONE)
+- bclass = IOPRIO_CLASS_BE;
++ if (!ioprio_valid(aprio))
++ aprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, IOPRIO_NORM);
++ if (!ioprio_valid(bprio))
++ bprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, IOPRIO_NORM);
+
++ aclass = IOPRIO_PRIO_CLASS(aprio);
++ bclass = IOPRIO_PRIO_CLASS(bprio);
+ if (aclass == bclass)
+ return min(aprio, bprio);
+ if (aclass > bclass)
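Review bot: The substitution of `IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, IOPRIO_NORM)` for an unset priority is written out twice and has no comment explaining it. The reason matters for the `min(aprio, bprio)` comparison below, which now works on the substituted values rather than on the raw ones. A comment above the two `ioprio_valid()` tests would record the intent: `/* An unset priority counts as best-effort/normal, so the merged request always gets a defined priority. */`. The body of ioprio_best continues past the end of this hunk, so the remaining class comparison is not reviewed here.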
--- /dev/null
+From eaca2d8e75e90a70a63a6695c9f61932609db212 Mon Sep 17 00:00:00 2001
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Date: Tue, 11 Nov 2014 17:16:44 +0100
+Subject: firewire: cdev: prevent kernel stack leaking into ioctl arguments
+
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+
+commit eaca2d8e75e90a70a63a6695c9f61932609db212 upstream.
+
+Found by the UC-KLEE tool: A user could supply less input to
+firewire-cdev ioctls than write- or write/read-type ioctl handlers
+expect. The handlers used data from uninitialized kernel stack then.
+
+This could partially leak back to the user if the kernel subsequently
+generated fw_cdev_event_'s (to be read from the firewire-cdev fd)
+which notably would contain the _u64 closure field which many of the
+ioctl argument structures contain.
+
+The fact that the handlers would act on random garbage input is a
+lesser issue since all handlers must check their input anyway.
+
+The fix simply always null-initializes the entire ioctl argument buffer
+regardless of the actual length of expected user input. That is, a
+runtime overhead of memset(..., 40) is added to each firewirew-cdev
+ioctl() call. [Comment from Clemens Ladisch: This part of the stack is
+most likely to be already in the cache.]
+
+Remarks:
+ - There was never any leak from kernel stack to the ioctl output
+ buffer itself. IOW, it was not possible to read kernel stack by a
+ read-type or write/read-type ioctl alone; the leak could at most
+ happen in combination with read()ing subsequent event data.
+ - The actual expected minimum user input of each ioctl from
+ include/uapi/linux/firewire-cdev.h is, in bytes:
+ [0x00] = 32, [0x05] = 4, [0x0a] = 16, [0x0f] = 20, [0x14] = 16,
+ [0x01] = 36, [0x06] = 20, [0x0b] = 4, [0x10] = 20, [0x15] = 20,
+ [0x02] = 20, [0x07] = 4, [0x0c] = 0, [0x11] = 0, [0x16] = 8,
+ [0x03] = 4, [0x08] = 24, [0x0d] = 20, [0x12] = 36, [0x17] = 12,
+ [0x04] = 20, [0x09] = 24, [0x0e] = 4, [0x13] = 40, [0x18] = 4.
+
+Reported-by: David Ramos <daramos@stanford.edu>
+Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firewire/core-cdev.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/firewire/core-cdev.c
++++ b/drivers/firewire/core-cdev.c
+@@ -1637,8 +1637,7 @@ static int dispatch_ioctl(struct client
+ _IOC_SIZE(cmd) > sizeof(buffer))
+ return -ENOTTY;
+
+- if (_IOC_DIR(cmd) == _IOC_READ)
+- memset(&buffer, 0, _IOC_SIZE(cmd));
++ memset(&buffer, 0, sizeof(buffer));
+
+ if (_IOC_DIR(cmd) & _IOC_WRITE)
+ if (copy_from_user(&buffer, arg, _IOC_SIZE(cmd)))
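Review bot: The now unconditional `memset(&buffer, 0, sizeof(buffer));` has no comment, and the reason for clearing the full buffer is not visible from the code alone. `_IOC_SIZE(cmd)` is supplied by the caller and the `copy_from_user()` below fills only that many bytes, while a handler may read more of `buffer`. I would add `/* Zero all of buffer: _IOC_SIZE(cmd) is caller-supplied and may be shorter than what the handler reads. */` so the memset is not later narrowed back to the ioctl size. The visible check only rejects sizes larger than `sizeof(buffer)`; rejecting commands shorter than the handler's expected minimum would be a stricter follow-up, but the handler table is outside this hunk. dispatch_ioctl starts before and continues after the lines shown.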
--- /dev/null
+From 8c393f9a721c30a030049a680e1bf896669bb279 Mon Sep 17 00:00:00 2001
+From: Peng Tao <tao.peng@primarydata.com>
+Date: Wed, 5 Nov 2014 22:36:50 +0800
+Subject: nfs: fix pnfs direct write memory leak
+
+From: Peng Tao <tao.peng@primarydata.com>
+
+commit 8c393f9a721c30a030049a680e1bf896669bb279 upstream.
+
+For pNFS direct writes, layout driver may dynamically allocate ds_cinfo.buckets.
+So we need to take care to free them when freeing dreq.
+
+Ideally this needs to be done inside layout driver where ds_cinfo.buckets
+are allocated. But buckets are attached to dreq and reused across LD IO iterations.
+So I feel it's OK to free them in the generic layer.
+
+Signed-off-by: Peng Tao <tao.peng@primarydata.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/direct.c | 1 +
+ include/linux/nfs_xdr.h | 11 +++++++++++
+ 2 files changed, 12 insertions(+)
+
+--- a/fs/nfs/direct.c
++++ b/fs/nfs/direct.c
+@@ -180,6 +180,7 @@ static void nfs_direct_req_free(struct k
+ {
+ struct nfs_direct_req *dreq = container_of(kref, struct nfs_direct_req, kref);
+
++ nfs_free_pnfs_ds_cinfo(&dreq->ds_cinfo);
+ if (dreq->l_ctx != NULL)
+ nfs_put_lock_context(dreq->l_ctx);
+ if (dreq->ctx != NULL)
+--- a/include/linux/nfs_xdr.h
++++ b/include/linux/nfs_xdr.h
+@@ -1184,11 +1184,22 @@ struct nfs41_free_stateid_res {
+ unsigned int status;
+ };
+
++static inline void
++nfs_free_pnfs_ds_cinfo(struct pnfs_ds_commit_info *cinfo)
++{
++ kfree(cinfo->buckets);
++}
++
+ #else
+
+ struct pnfs_ds_commit_info {
+ };
+
++static inline void
++nfs_free_pnfs_ds_cinfo(struct pnfs_ds_commit_info *cinfo)
++{
++}
++
+ #endif /* CONFIG_NFS_V4_1 */
+
+ struct nfs_page;
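Review bot: `nfs_free_pnfs_ds_cinfo()` leaves `cinfo->buckets` pointing at freed memory after `kfree(cinfo->buckets);`. The only caller visible in this commit, nfs_direct_req_free() in fs/nfs/direct.c, runs while the request is being torn down, so this does no harm there. The helper lives in a shared header, though, and a second call or a later read on an object that stays alive would become a double free or use-after-free. Adding `cinfo->buckets = NULL;` after the kfree makes the helper safe to call more than once. A one-line comment saying that the buckets are allocated by the layout driver and released here would also document the ownership.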
--- /dev/null
+From 2fe749f50b0bec07650ef135b29b1f55bf543869 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Mon, 10 Nov 2014 21:46:18 +0100
+Subject: parisc: Use compat layer for msgctl, shmat, shmctl and semtimedop syscalls
+
+From: Helge Deller <deller@gmx.de>
+
+commit 2fe749f50b0bec07650ef135b29b1f55bf543869 upstream.
+
+Switch over the msgctl, shmat, shmctl and semtimedop syscalls to use the compat
+layer. The problem was found with the debian procenv package, which called
+ shmctl(0, SHM_INFO, &info);
+in which the shmctl syscall then overwrote parts of the surrounding areas on
+the stack on which the info variable was stored and thus lead to a segfault
+later on.
+
+Additionally fix the definition of struct shminfo64 to use unsigned longs like
+the other architectures. This has no impact on userspace since we only have a
+32bit userspace up to now.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/uapi/asm/shmbuf.h | 25 +++++++++----------------
+ arch/parisc/kernel/syscall_table.S | 8 ++++----
+ 2 files changed, 13 insertions(+), 20 deletions(-)
+
+--- a/arch/parisc/include/uapi/asm/shmbuf.h
++++ b/arch/parisc/include/uapi/asm/shmbuf.h
+@@ -36,23 +36,16 @@ struct shmid64_ds {
+ unsigned int __unused2;
+ };
+
+-#ifdef CONFIG_64BIT
+-/* The 'unsigned int' (formerly 'unsigned long') data types below will
+- * ensure that a 32-bit app calling shmctl(*,IPC_INFO,*) will work on
+- * a wide kernel, but if some of these values are meant to contain pointers
+- * they may need to be 'long long' instead. -PB XXX FIXME
+- */
+-#endif
+ struct shminfo64 {
+- unsigned int shmmax;
+- unsigned int shmmin;
+- unsigned int shmmni;
+- unsigned int shmseg;
+- unsigned int shmall;
+- unsigned int __unused1;
+- unsigned int __unused2;
+- unsigned int __unused3;
+- unsigned int __unused4;
++ unsigned long shmmax;
++ unsigned long shmmin;
++ unsigned long shmmni;
++ unsigned long shmseg;
++ unsigned long shmall;
++ unsigned long __unused1;
++ unsigned long __unused2;
++ unsigned long __unused3;
++ unsigned long __unused4;
+ };
+
+ #endif /* _PARISC_SHMBUF_H */
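Review bot: `struct shminfo64` is a uapi structure whose members change width on a 64-bit kernel here, yet the comment that explained the old `unsigned int` layout is removed without a replacement. The new layout is only safe for 32-bit callers because shmctl is routed through the compat entry in syscall_table.S in the same commit, and nothing in this header says so. I would add a comment above the struct, for example `/* Native layout; 32-bit callers reach shmctl() via the compat syscall entry. */`, so the two files are not changed independently later.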
+--- a/arch/parisc/kernel/syscall_table.S
++++ b/arch/parisc/kernel/syscall_table.S
+@@ -286,11 +286,11 @@
+ ENTRY_COMP(msgsnd)
+ ENTRY_COMP(msgrcv)
+ ENTRY_SAME(msgget) /* 190 */
+- ENTRY_SAME(msgctl)
+- ENTRY_SAME(shmat)
++ ENTRY_COMP(msgctl)
++ ENTRY_COMP(shmat)
+ ENTRY_SAME(shmdt)
+ ENTRY_SAME(shmget)
+- ENTRY_SAME(shmctl) /* 195 */
++ ENTRY_COMP(shmctl) /* 195 */
+ ENTRY_SAME(ni_syscall) /* streams1 */
+ ENTRY_SAME(ni_syscall) /* streams2 */
+ ENTRY_SAME(lstat64)
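Review bot: The table gives no indication of why an entry is `ENTRY_SAME` or `ENTRY_COMP`, so the next reader has no way to tell which IPC calls were checked. In this hunk `ENTRY_SAME(msgget)`, `ENTRY_SAME(shmdt)` and `ENTRY_SAME(shmget)` stay native, presumably because they pass no structure by pointer. The semtimedop change in the following hunk has the same gap, and IPC entries outside both hunks cannot be checked from here. A comment next to the converted entries, such as `/* takes a user struct pointer: must use the compat wrapper on a 64-bit kernel */`, would record the rule that was applied.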
+@@ -323,7 +323,7 @@
+ ENTRY_SAME(epoll_ctl) /* 225 */
+ ENTRY_SAME(epoll_wait)
+ ENTRY_SAME(remap_file_pages)
+- ENTRY_SAME(semtimedop)
++ ENTRY_COMP(semtimedop)
+ ENTRY_COMP(mq_open)
+ ENTRY_SAME(mq_unlink) /* 230 */
+ ENTRY_COMP(mq_timedsend)
--- /dev/null
+From 48379270fe6808cf4612ee094adc8da2b7a83baa Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Mon, 3 Nov 2014 19:36:40 +0100
+Subject: scsi: only re-lock door after EH on devices that were reset
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 48379270fe6808cf4612ee094adc8da2b7a83baa upstream.
+
+Setups that use the blk-mq I/O path can lock up if a host with a single
+device that has its door locked enters EH. Make sure to only send the
+command to re-lock the door to devices that actually were reset and thus
+might have lost their state. Otherwise the EH code might be get blocked
+on blk_get_request as all requests for non-reset devices might be in use.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reported-by: Meelis Roos <meelis.roos@ut.ee>
+Tested-by: Meelis Roos <meelis.roos@ut.ee>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_error.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_error.c
++++ b/drivers/scsi/scsi_error.c
+@@ -1689,8 +1689,10 @@ static void scsi_restart_operations(stru
+ * is no point trying to lock the door of an off-line device.
+ */
+ shost_for_each_device(sdev, shost) {
+- if (scsi_device_online(sdev) && sdev->locked)
++ if (scsi_device_online(sdev) && sdev->was_reset && sdev->locked) {
+ scsi_eh_lock_door(sdev);
++ sdev->was_reset = 0;
++ }
+ }
+
+ /*
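Review bot: `sdev->was_reset = 0;` runs only inside the branch, so a device that was reset while offline or while its door was unlocked keeps the flag set. If nothing else clears the flag (not visible in this hunk), a later error-handling run could send the re-lock command to a device that was not reset in that run, which is the case this change tries to exclude. Moving `sdev->was_reset = 0;` after the `if` block, so it runs for every device in the loop, would avoid the stale state, provided no other reader depends on the flag staying set. scsi_restart_operations begins and ends outside the hunk.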
mac80211-fix-use-after-free-in-defragmentation.patch
drm-radeon-add-missing-crtc-unlock-when-setting-up-the-mc.patch
arm-8198-1-make-kuser-helpers-depend-on-mmu.patch
+arm64-__clear_user-handle-exceptions-on-strb.patch
+firewire-cdev-prevent-kernel-stack-leaking-into-ioctl-arguments.patch
+nfs-fix-pnfs-direct-write-memory-leak.patch
+scsi-only-re-lock-door-after-eh-on-devices-that-were-reset.patch
+parisc-use-compat-layer-for-msgctl-shmat-shmctl-and-semtimedop-syscalls.patch
+block-fix-computation-of-merged-request-priority.patch